Wednesday, 10 February 2016

With the introduction of IOS 8.3 there were some fundamental changes to the way NAT was done.

One of these changes was that NAT exemptions (NAT 0) no longer exist - instead you are now required to configure an Identity NAT. Depending on the scenario this can be done using either Auto NAT or Manual NAT. For example, if we wanted to ensure that traffic between two networks is exempt from NAT, we could define a Policy Based Identity NAT - e.g.:

The NAT rule above translates the source to itself only when the destination matches; if the destination is different the rule simply isn't matched and the traffic falls through to the remaining NAT rules.

The way in which ACLs are applied on interfaces has also changed with 8.3. Pre-8.3, when allowing traffic that was to be NAT'd inbound on an interface, you would define an explicit rule permitting the untranslated packet - for example:

Say a packet is destined for your outside interface, which has the public IP 88.77.66.55, and a NAT rule then forwards that packet by translation to an IP (192.168.10.10) in your DMZ. Pre-8.3 you would add an ACL entry permitting traffic to 88.77.66.55. In 8.3, however, the packet is untranslated before the interface ACL is checked - so we instead add a rule permitting access to the DMZ IP (192.168.10.10)!

Auto NAT is configured within a network object. An advantage of Auto NAT is that it automatically orders the NAT rules, preventing collisions. This comes at the cost of granularity, however: unlike Manual NAT, you cannot make a translation decision based on the destination.

An example of Auto NAT that provides dynamic PAT for inside clients out to the internet:
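The three pieces discussed in this post (a Policy Based Identity NAT, the post-8.3 ACL referencing the real DMZ address, and an Auto NAT dynamic PAT) put together as one 8.3-style configuration. This is an added example written for this post, not a config from the original; the interface names, object names, the 192.168.1.0/24 and 192.168.2.0/24 networks and the use of TCP port 80 are assumptions, while 88.77.66.55 and 192.168.10.10 are the addresses used in the text above.

```cisco
! --- Objects (constructed example addresses) ---
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
object network BRANCH-NET
 subnet 192.168.2.0 255.255.255.0
object network DMZ-WEB
 host 192.168.10.10

! --- Manual (Policy Based) Identity NAT ---
! Source stays INSIDE-NET and destination stays BRANCH-NET, i.e. no
! translation when inside hosts talk to the branch network. Manual NAT
! rules are evaluated before Auto NAT, so this wins over the PAT below.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static BRANCH-NET BRANCH-NET no-proxy-arp route-lookup

! --- Auto NAT: dynamic PAT for inside clients going to the internet ---
! Lives inside the network object; traffic not matched by the identity
! rule above is PAT'd to the outside interface address.
object network INSIDE-NET
 nat (inside,outside) dynamic interface

! --- Auto NAT: inbound port forward to the DMZ web server ---
! TCP/80 arriving on the outside interface IP (88.77.66.55 in the text)
! is translated to 192.168.10.10.
object network DMZ-WEB
 nat (dmz,outside) static interface service tcp 80 80

! --- Interface ACL, 8.3 style ---
! The packet is untranslated BEFORE the ACL is checked, so permit the
! real DMZ address, not the public 88.77.66.55 as pre-8.3 would require.
access-list OUTSIDE-IN extended permit tcp any host 192.168.10.10 eq 80
access-group OUTSIDE-IN in interface outside
```

`show nat detail` and `packet-tracer input outside tcp 203.0.113.5 12345 88.77.66.55 80` can be used to confirm which rule a given flow matches and that the ACL is evaluated against the untranslated address.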